New Locky Ransomware Attack Affecting Millions

There is a new Locky variant ransomware attack that is hitting at a steady rate of 2 million attacks an hour. Hackers are using 8,000 different versions of a widespread virus script, according to researchers from Barracuda Networks Inc. There were 20 million of these attacks within the first 24 hours after it was launched Tuesday morning. The magnitude of this attack is significant – growing rapidly and proving to be highly destructive. The target: businesses or institutional groups in the US and Canada.

How to Detect It:

The attacks are arriving mainly by email. Early on, emails from the campaign were either ‘Herbalife’-branded or generic messages impersonating a ‘copier’ file delivery.

The latest variants include:

Email with ‘Emailing – <attachment name>.’ as the subject line. One example was:

Email with a paragraph about legalese to make it seem legitimate.

Email with “payment is attached” in the subject line to entice people to click on it.
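As an added example (not part of the original post or Barracuda's tooling), the subject-line lures listed above can be turned into a mail triage check, shown here running over constructed messages. The rule names, the verdict levels, and matching "Herbalife" or "copier" in the subject or sender are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePath

# Lures named in the article; the dash may arrive as a hyphen, en dash or em dash.
EMAILING = re.compile(r"^\s*emailing\s*[-\u2013\u2014:]\s*(.+?)\.?\s*$", re.I)
PAYMENT = re.compile(r"payment\s+is\s+attached", re.I)
BRANDS = re.compile(r"herbalife|copier", re.I)  # early-wave lures (assumed match)

def triage(raw: bytes) -> dict:
    """Return the lure rules a raw RFC 5322 message matches, plus a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)  # decodes RFC 2047 headers
    subject = str(msg.get("Subject", ""))
    sender = str(msg.get("From", ""))
    files = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    hits = []
    m = EMAILING.match(subject)
    if m:
        named = m.group(1).strip().lower()
        # Fire only when the subject echoes an attachment's full name or its stem.
        if any(named in (f.lower(), PurePath(f).stem.lower()) for f in files):
            hits.append("emailing-attachment-name")
    if PAYMENT.search(subject):
        hits.append("payment-is-attached")
    if BRANDS.search(subject) or BRANDS.search(sender):
        hits.append("early-wave-brand")
    # Assumed policy: a lure with an attachment is held, a lure alone is reviewed.
    verdict = "clean" if not hits else ("quarantine" if files else "review")
    return {"subject": subject, "rules": hits, "attachments": files, "verdict": verdict}

def sample(subject, sender, filename=None) -> bytes:
    """Build a constructed test message (not a captured campaign email)."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, "staff@example.com"
    m.set_content("constructed body")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for raw in (sample("Emailing \u2013 scan_0042.7z.", "a@example.net", "scan_0042.7z"),
                sample("Your payment is attached", "b@example.net"),
                sample("Lunch on Friday?", "c@example.org")):
        print(triage(raw))
```

Because the campaign rotates file names and domains, subject rules like these only catch the lures already seen and belong alongside attachment filtering, not in place of it.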

How This Locky is Different:

While widespread email phishing campaigns that, when successful, distribute ransomware are nothing new, these attackers have added a twist by rotating the ransomware payload. Barracuda’s post stated that “these attacks are being automatically generated using a template that randomizes parts of the files. The names of payload files and the domains used for downloading secondary payloads have been changing in order to stay ahead of anti-virus engines.”

The two forms of ransomware being distributed are Locky – which has recently resurged – and FakeGlobe, which first appeared in June of this year. Those behind the campaign have designed it so the payload can be swapped – the spam email might deliver Locky one hour, then FakeGlobe the next. Typically, we see a form of ransomware paired with a virus such as a Trojan. In this case, we are seeing ransomware paired with ransomware, leading to a bigger payday for those behind the scheme.

They also noted that the Locky variant has a single identifier. This means that even if victims pay the ransom, they will not receive a decryption key. Instead, once Locky is installed, it then installs FakeGlobe. In that case, victims could be forced to pay up for both infections.

Who is Perpetrating the Hack?

Due to the hackers’ motives, it’s unlikely that a nation-state is behind the hack. Instead, we suspect the perpetrators are a small, sophisticated group of criminals. The attacks are originating in Vietnam for the most part, but also in India, Colombia, Turkey, Greece, and a few other countries.

The Future of Global Hacks:

While the messages from these hackers are all in English, Barracuda noticed that the virus programs are checking victims’ computers for language files. They concluded that “this may lead to an internationalized version of this attack in the future.”

Please let your staff know about this new and ongoing ransomware attack and ensure they are being extra careful not to click on email links unless they are 110% certain the email is valid. If in doubt, call the sender to see if they actually left the message. Also, make sure everything is backed up properly.

We are following news of this threat and will provide updates as they are available.

Based in Cary, North Carolina, Technology Associates is a full service technology consulting firm specializing in providing Managed IT Services for small to medium sized businesses (20 - 200 employees) throughout the Raleigh-Durham, Greensboro and Charlotte areas.
